VB - Substitute RootDSE for another domain....

    Question

  • I have a script that uses RootDSE and fills the value with that of the domain I am currently logged into to find the FSMO roles of the domain.  Example below is part of the script showing the section to retrieve the Schema master.

    Set objrootdse = GetObject("LDAP://rootDSE")

    ' Schema Master
    Set objschema = GetObject _
        ("LDAP://" & objrootdse.Get("schemaNamingContext"))
    strSchemaMaster = objschema.Get("fSMORoleOwner")
    Set objNtds = GetObject("LDAP://" & strSchemaMaster)
    Set objComputer = GetObject(objNtds.Parent)
    strSchemaMaster = objComputer.dnsHostName

    I would like to use this script to look at the FSMO roles of other domains without having to log into them.  Is there a way to replace the RootDSE setting and allow the input of another domain?

    Thanks,

    Dave



    Dave
    Thursday, June 30, 2011 12:25 PM

Answers

  • If you want to use the RootDSE object in the other trusted domain, I would try:

    Set objRootDSE = GetObject("LDAP://server.otherdomain.com/RootDSE")

    This requires the DNS name of a DC in the other domain. It seems you often need to specify a DC in the other domain, so this might also work:

    Set objSchema = GetObject("LDAP://server.otherdomain.com/cn=Schema,cn=Configuration,dc=otherdomain,dc=com")


    Richard Mueller - MVP Directory Services
    • Marked as answer by Dave Casson Thursday, June 30, 2011 5:39 PM
    Thursday, June 30, 2011 3:49 PM
    Moderator

All replies

  • To do this without providing credentials, there must be a trust established with the other domain. You would hard code the DN of the schema container in the other domain. For example:

    Set objSchema = GetObject("LDAP://cn=Schema,cn=Configuration,dc=OtherDomain,dc=com")

    Otherwise, you can use alternate credentials. Details and some examples at this link:

    http://www.rlmueller.net/ADOAltCredentials.htm



    Richard Mueller - MVP Directory Services
    Thursday, June 30, 2011 2:17 PM
    Moderator
  • I tried that.  I tried the following syntax.

    Set objrootdse = GetObject("LDAP://DC=abc,DC=domainname,DC=net")

    and got the following error:

    Run-time Error '-2147463155(8000500d)':
    The directory property cannot be found in the cache.

    We have full trusts between the domains I am going to query.

    Or are you saying skip the RootDSE line altogether and use the syntax you set?

    I think I tried that and it did not work either.

    Thanks,

    Dave


    Dave
    Thursday, June 30, 2011 3:04 PM
  • A simpler solution would be to use the rootDSE from the required domain.

    strDNSDomain = "my.domain.com"

    ' Bind to the rootDSE of the logon domain when no domain is given,
    ' otherwise to the rootDSE served by the named domain or DC.
    If IsEmptyString(strDNSDomain) Then
        strConnect = "LDAP://rootDSE"
    Else
        strConnect = "LDAP://" & strDNSDomain & "/rootDSE"
    End If 'IsEmptyString(strDNSDomain)

    Set objrootdse = GetObject(strConnect)

    ' Minimal stand-in for the custom helper referred to below.
    Function IsEmptyString(s)
        IsEmptyString = (Len(Trim(s & "")) = 0)
    End Function

    IsEmptyString is a custom function I have written; you would need to adjust accordingly.



    Thursday, June 30, 2011 3:17 PM
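The two patterns above (an ADsPath prefixed with a DC or domain name, and the rootDSE -> schemaNamingContext -> fSMORoleOwner -> parent -> dnsHostName walk from the original script) as an added, offline-checkable example that is not code from the thread. The `read` callable and the `SAMPLE_DIR` directory are constructed stand-ins for ADSI `GetObject`; `otherdomain.com` and `dc01` are hypothetical names.

```python
"""Added example (not from the thread): build the ADsPaths the replies
discuss and walk the Schema Master lookup from the original VBScript
against a constructed in-memory directory, so the logic can be checked
before pointing it at a real DC through ADSI or an LDAP library."""
import re


def rootdse_path(dns_domain_or_dc=""):
    """'' -> LDAP://rootDSE (logon domain); 'dc01.otherdomain.com' ->
    LDAP://dc01.otherdomain.com/rootDSE (note the '/' separator)."""
    if not dns_domain_or_dc:
        return "LDAP://rootDSE"
    return f"LDAP://{dns_domain_or_dc}/rootDSE"


def domain_to_dn(dns_domain):
    """'abc.domainname.net' -> 'DC=abc,DC=domainname,DC=net'."""
    return ",".join(f"DC={label}" for label in dns_domain.split("."))


def parent_dn(dn):
    """Equivalent of objNtds.Parent: drop the leading RDN. Commas inside
    RDN values are escaped as '\\,' so only unescaped commas split."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdns[1:])


def schema_master(read, server=""):
    """read(path) returns an object's attribute dict (or None).
    Mirrors the VBScript: rootDSE -> schemaNamingContext ->
    fSMORoleOwner -> parent (the server object) -> dnsHostName."""
    root = read(f"{server}/rootDSE" if server else "rootDSE")
    schema = read(root["schemaNamingContext"])
    ntds_dn = schema["fSMORoleOwner"]           # CN=NTDS Settings,CN=<server>,...
    server_obj = read(parent_dn(ntds_dn))       # objNtds.Parent
    return server_obj["dnsHostName"]


# Constructed sample directory for a hypothetical otherdomain.com.
_CFG = "CN=Configuration,DC=otherdomain,DC=com"
_SRV = f"CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,{_CFG}"
SAMPLE_DIR = {
    "dc01.otherdomain.com/rootDSE": {"schemaNamingContext": f"CN=Schema,{_CFG}"},
    f"CN=Schema,{_CFG}": {"fSMORoleOwner": f"CN=NTDS Settings,{_SRV}"},
    _SRV: {"dnsHostName": "dc01.otherdomain.com"},
}

if __name__ == "__main__":
    print(rootdse_path("dc01.otherdomain.com"))
    print(schema_master(SAMPLE_DIR.get, "dc01.otherdomain.com"))
```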
  • Thanks!   Will give it a try and let you know how it works.

    Dave


    Dave
    Thursday, June 30, 2011 3:30 PM
  • That worked perfectly.  I tried a similar syntax earlier on my own and was off by one character.  I tried my.domain.com & RootDES instead of my.domain.com/RootDSE.

    Thanks for the help. 

    Dave


    Dave
    Thursday, June 30, 2011 5:39 PM